This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.

COVID-19 and Operational Resilience for Financial Services

07 April 2020

The impact of COVID-19 is evident everywhere, on people, organisations and the wider economy.  Having a plan in place to reduce this impact has become a global priority, particularly in the context of operational disruption.

Prior to the outbreak of COVID-19, the Prudential Regulation Authority (“PRA”) and Financial Conduct Authority (“FCA”) have had a focus on organisations’ operational resilience, as referenced in their Consultation Papers published in December 2019. Specifically, organisations are expected to ensure that they are taking appropriate steps, not only to minimise the likelihood of a disruptive event occurring, but to also reduce the impact on the provision of their key business services should that disruption occur. Linked to this, organisations are expected to be pro-active in their approach to operational resilience through scenario testing severe but plausible disruptive events to identify potential weaknesses in resilience.

Following recent events, the FCA and PRA have emphasised that they expect all organisations to have appropriate plans in place to deal with COVID-19 and implement these to ensure that clients, customers and the broader financial services market are supported. We suggest that organisations consider taking the following steps as soon as possible and ensure they are in a position to clearly evidence how and why certain decisions and actions have been taken.


  • Mobilisation needs to start from the top. Organisations should assemble a cross-functional COVID-19 crisis response team / working group led by a member of the Executive Management team. Given the responsibilities of the SMF 24, this individual should be considered
  • For succession purposes, appropriate “delegates” should be identified to step in to the leadership role should individuals become unwell or unavailable to work
  • Firms should consider the impact of COVID-19 on the roles and responsibilities of SMF holders and ensure any significant changes are communicated to the regulator via Form J and reflected in individuals’ statement of responsibilities
  • The response team should define its key responsibilities, meeting frequencies and management information requirements
  • The COVID-19 response team should provide regular updates to the Executive Committee and Board
  • There should be clear evidence of decisions made and the supporting analysis/rationale
  • The team should take responsibility for the key matters described below.

Take stock of the current state

  • The response team in the first instance should understand how consumers, clients and more broadly, business services have been and will be impacted by COVID-19
  • Identify immediate/current “strains” and “pinch points” with resources supporting the delivery of key business services i.e. people, third parties or key systems and infrastructure
  • Liaise with Human Resources to identify and assess current status of staff with respect to current/anticipated unavailability.
  • Identify and communicate with critical suppliers to understand their current status with respect to provision of outsourced activities and whether this is likely to be impacted
  • Review current crisis response and business continuity plans and revisit the criteria under which plan will be enacted, if haven’t already
  • Consider and analyse the current financial position/strength of the organisation, including key capital and liquidity buffers
  • Check current guidance released by Government to ensure alignment with organisation’s policies.

Scenario Analysis

  • Looking ahead, the crisis response team should be pro-active and identify a range of severe but plausible scenarios that could occur in the short, medium and longer term in relation to COVID-19
  • Consider the impact of these scenarios in the context of the resources which support the delivery of key business services (third parties, systems and staff) and the potential impact on clients, consumers and financial stability of the organisation
  • Develop response plans should these scenarios materialise to reduce the level of impact in the context of disruption to key business services
  • Develop internal and external communication plans for each scenario.


  • Ongoing and accurate communication will be key given the ever changing nature of the current situation. Therefore, organisations should define clear guidelines and frequency requirements for ongoing communications with staff and customers/clients
  • Consider communications from a Group context, to ensure consistent communications across different group entities
  • Ensure there is a key plan of action for communication with the regulator(s) as it is likely this will be requested. The communication should consider what the organisation is doing to minimise the disruption to its operations, details of the crisis response plan, overview of testing performed including proposed responses and planned communication arrangements with staff, customers and clients.

How we can help

BDO is well placed to help organisations on operational resilience and broader governance related matters. Specifically, BDO can provide support on organisations’ operational resilience journeys through:

  • COVID-19 resilience validation – a review of the actions already undertaken and how this is evidenced so that firms are in a strong position to both deal with disruption and clearly evidence to both the FCA and PRA what actions have been taken
  • Reviewing and advising on organisations’ governance arrangements, including management information reporting
  • Helping organisations with mapping their supporting processes, people, systems and third parties supporting the delivery of each key business service
  • Assisting organisations with developing scenarios, scenario testing and building outputs into response plans
  • Reviewing proposed responses and information, prior to being shared with the regulator(s)
  • Sharing our broader experience in respect of operational resilience.

If you’d like more information, please contact Richard Barnwell.